[27849] in Kerberos
Re: Use ssh key to acquire TGT?
daemon@ATHENA.MIT.EDU (Adam Megacz)
Fri Jun 1 12:53:46 2007
To: kerberos@mit.edu
From: Adam Megacz <megacz@hcoop.net>
Date: Fri, 01 Jun 2007 09:44:47 -0700
Message-ID: <x38xb3aakg.fsf@nowhere.com>
Mime-Version: 1.0
X-Complaints-To: usenet@sea.gmane.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Thanks for taking the time to reply, Russ.
Russ Allbery <rra@stanford.edu> writes:
> PKINIT already exists and is already standardized,
Hrm, last I checked there was no RFC, just an internet-draft.
> so using X.509 certificates is much easier than using ssh private
> keys.
Perhaps for administrators it might be, but I would guess that there
are at least 10x as many active ssh keys on the internet as X.509
certificates even in spite of the latter having been around longer.
But it shouldn't be hard to define a "default wrapping" for the ssh
key material as an X.509 certificate.
> (such as how to communicate the TGT back to the client securely).
The client would have to keep the equivalent of a "host key" for the
KDC. IMHO the usual "asymptotically secure" approach (no security on
the first connection, but complain loudly if the key changes on any
subsequent connection) would probably be good enough.
- a
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
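The "asymptotically secure" scheme the poster sketches is what OpenSSH does with known_hosts: accept whatever key the peer presents on first contact, pin it, and refuse loudly if a later contact presents a different one. The following is an added example of such a pin store for a KDC key, written for this page; it is not code from the thread, from MIT Kerberos, or from any PKINIT implementation. The realm name, the key blobs and the sample OpenSSH public-key line are constructed for illustration, and the fingerprint format is the SHA256/base64 one printed by ssh-keygen -l.

```python
"""Trust-on-first-use (TOFU) pinning of a KDC public key, known_hosts style.

Added illustration for the thread above; not code from any Kerberos
implementation.  Realm names, key blobs and the sample key line are constructed.
"""
import base64
import hashlib
import json
from pathlib import Path


class KdcKeyChanged(Exception):
    """Raised when a previously pinned KDC presents a different key."""


def ssh_style_fingerprint(pubkey_blob: bytes) -> str:
    # Same format as `ssh-keygen -l`: SHA256 over the raw key blob,
    # base64-encoded with the trailing '=' padding removed.
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_openssh_line(line: str) -> str:
    # An OpenSSH public-key line is "<keytype> <base64 blob> [comment]";
    # the fingerprint is taken over the decoded blob, not the text.
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return ssh_style_fingerprint(base64.b64decode(fields[1]))


# Constructed sample: an ssh-ed25519 wire blob (string "ssh-ed25519", then a
# 32-byte key) wrapped as a public-key line.  Not a real key.
_SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KDC_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " kdc.example.test"


class KdcKeyStore:
    """Maps a realm (or KDC host) to the fingerprint seen on first contact."""

    def __init__(self, path=None):
        # Optional on-disk persistence; in memory only when path is None.
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, realm: str, pubkey_blob: bytes) -> str:
        fp = ssh_style_fingerprint(pubkey_blob)
        pinned = self.pins.get(realm)
        if pinned is None:
            # First contact: there is nothing to compare against, so this
            # connection is unauthenticated.  Pin the key so every later
            # contact with this realm can be checked against it.
            self.pins[realm] = fp
            self._save()
            return "pinned"
        if pinned == fp:
            return "match"
        # The "complain loudly" branch: refuse rather than silently re-pin.
        # Recovering from a legitimate KDC key rollover needs an out-of-band
        # check and an explicit removal of the old pin.
        raise KdcKeyChanged(
            f"KDC key for {realm} changed: pinned {pinned}, offered {fp}. "
            "Possible man-in-the-middle; verify out of band before proceeding."
        )


if __name__ == "__main__":
    store = KdcKeyStore()
    first = b"constructed KDC key blob one"
    print(store.check("ATHENA.MIT.EDU", first))   # pinned
    print(store.check("ATHENA.MIT.EDU", first))   # match
    try:
        store.check("ATHENA.MIT.EDU", b"constructed KDC key blob two")
    except KdcKeyChanged as exc:
        print("refused:", exc)
```

The weakness the poster acknowledges is visible in the first branch: the initial contact pins whatever key an on-path attacker chooses to present, so the scheme only detects substitution after that point. Distributing the KDC key (or a certificate for it) out of band, which is what PKINIT's X.509 trust anchors do, removes that window.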